Data Center and Hybrid Cloud for Dummies

Issue link: https://insights.oneneck.com/i/1458399

CHAPTER 4 Leveraging Unmatched Threat Protection 47
These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

What Is a Perimeter?

In the not-too-distant past, security vendors, network architects, and security practitioners described networks in terms of the "untrusted" public Internet and the "trusted" internal corporate network, with firewalls deployed at the network perimeter. But the network perimeter has become a relic of a bygone era when everything was simple: black or white, good or bad, "trusted" or "untrusted."

The reality is that attackers have always exploited relatively weak security designs that relied on the firewall as the arbiter of trust between the Internet and the corporate network. Once inside, attackers had — and continue to have — free rein in the data center and on the network, because trust is assumed.

This threat is further exacerbated by the fact that legacy port-based firewalls deployed at the network perimeter inspect only north-south traffic (traffic passing between different zones, such as from an on-premises data center to the Internet or to a public cloud). These firewalls have no visibility into east-west traffic (traffic between systems and applications inside the data center or cloud), which today constitutes the majority of data center and hybrid cloud network traffic.

Further exacerbating the challenges of a perimeter-based security architecture is the fact that most enterprises today operate a hybrid cloud environment composed of a combination of on-premises data centers, private clouds, and public clouds, including software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) offerings. Mobile and remote users are also accessing enterprise computing resources in data centers and in the cloud from a multitude of devices from practically anywhere in the world.

Thus, the traditional network perimeter today is everywhere — and yet it is nowhere. Today, perimeter-based security has to be defined at a more granular level than, say, the logical boundary between a data center environment and the Internet. Perimeters, or trust boundaries between trust zones, must be defined at multiple layers within a hybrid cloud for both north-south and east-west traffic. A trust zone may be composed of a single resource, such as a virtual machine (VM), or a group of resources within a defined virtual network. Trust zones and trust boundaries are also dynamic. They
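The following is an added worked example, not code from the book or from any vendor product it describes. It models the two architectures the chapter contrasts: a port-based firewall at the Internet edge that sees only north-south traffic, and a set of trust zones with a boundary enforced between every pair of zones, east-west included. The zone names, prefixes, ports, and sample flows are all constructed for the example; the point it shows is that the same lateral move (web tier straight to the database VM) passes the edge firewall uninspected but is denied by the zone policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Trust zones as named sets of prefixes. A zone can be a whole virtual
# network or a single VM (a /32), as the chapter describes. All names and
# addresses are constructed for this example; "internet" is the catch-all
# and only wins when nothing more specific matches.
ZONES = {
    "web-tier": [ip_network("10.1.0.0/24")],
    "app-tier": [ip_network("10.2.0.0/24")],
    "db-vm": [ip_network("10.3.0.10/32")],
    "internet": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ip_address(ip)
    best, best_len = "internet", -1
    for name, nets in ZONES.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def direction(flow: Flow) -> str:
    """north-south if either endpoint is outside the hybrid cloud, else east-west."""
    if "internet" in (zone_of(flow.src), zone_of(flow.dst)):
        return "north-south"
    return "east-west"


# Model 1: a port-based firewall at the Internet edge. Only north-south
# traffic crosses it; east-west traffic never reaches it, so trust is
# assumed and the flow is passed without inspection.
EDGE_INBOUND_ALLOW = {("web-tier", 443)}  # constructed edge rule


def perimeter_decision(flow: Flow) -> str:
    if direction(flow) == "east-west":
        return "allow (not inspected)"
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == "internet":
        return "allow" if (dst_zone, flow.dport) in EDGE_INBOUND_ALLOW else "deny"
    return "allow"  # outbound from the "trusted" inside is not restricted


# Model 2: a trust boundary between every pair of zones, north-south and
# east-west alike. Default deny; each permitted flow is an explicit rule.
ZONE_ALLOW = {  # constructed (src_zone, dst_zone, dport) rules
    ("internet", "web-tier", 443),
    ("web-tier", "app-tier", 8080),
    ("app-tier", "db-vm", 5432),
}


def zone_decision(flow: Flow) -> str:
    rule = (zone_of(flow.src), zone_of(flow.dst), flow.dport)
    return "allow" if rule in ZONE_ALLOW else "deny"


def evaluate(flows):
    """Return (direction, edge-firewall decision, zone-policy decision) per flow."""
    return [(direction(f), perimeter_decision(f), zone_decision(f)) for f in flows]


# Constructed sample flows. The third one is a lateral move from the web
# tier directly to the database VM, skipping the application tier.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.1.0.7", 443),
    Flow("10.1.0.7", "10.2.0.9", 8080),
    Flow("10.1.0.7", "10.3.0.10", 5432),
    Flow("203.0.113.5", "10.3.0.10", 5432),
    Flow("10.2.0.9", "10.1.0.7", 22),
]

if __name__ == "__main__":
    for f, (d, p, z) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{f.src:>13} -> {f.dst}:{f.dport:<5} {d:<11} edge={p:<22} zone={z}")
```

Running the block prints one line per flow; the edge firewall reports "allow (not inspected)" for every east-west flow, including the web-tier-to-database move and the app-tier SSH attempt, while the zone policy allows only the three explicitly permitted paths. In a real deployment the zone table would be populated dynamically from the virtualization or cloud control plane rather than hard-coded, which is the "dynamic trust zones" point the chapter goes on to make.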
